bug with SGN_ALG_MD2_5 case handling in kg_unseal_v1()?

[Benjamin Kaduk]

On Thu, Apr 13, 2017 at 02:55:56PM -0500, Will Fiveash wrote:
> In src/lib/gssapi/krb5/k5unseal.c:kg_unseal_v1() at line 381 which is
> part of the case SGN_ALG_MD2_5 block I see:
> 
>         code = k5_bcmp(md5cksum.contents, ptr + 14, 8);
>         /* Falls through to defective-token??  */
> 
>     default:
>         *minor_status = 0;
>         return(GSS_S_DEFECTIVE_TOKEN);
> 
> This seems like a bug given the processing that precedes this, thoughts?

Perhaps.  On the other hand, how much do you trust anything with MD2
in its name...

-Ben